
Exam SC-200 topic 1 question 43 discussion

Actual exam question from Microsoft's SC-200
Question #: 43
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

trashbox
Highly Voted 1 year, 8 months ago
1. IdentityLogonEvents The final column requires "AccountUpn." Therefore, "IdentityInfo" would not be appropriate. Since it's about sign-in attempts to ADDS domain controllers, "IdentityLogonEvents" would be the suitable choice. 2. union We need to extract the latest 100 sign-in attempts from BOTH "Devices" AND "ADDS domain controllers." Using "union" would be optimal.
upvoted 12 times
donathon
1 year, 8 months ago
IdentityInfo does have AccountUpn. But since the query is about logon events, IdentityLogonEvents would contain the correct data, while IdentityInfo just has information about the identity and not the logon events.
upvoted 4 times
Nikki0222
7 months, 2 weeks ago
Correct
upvoted 1 times
mipe64
Highly Voted 1 year, 7 months ago
DeviceLogonEvents | extend Table = 'DeviceLogonEvents' | take 100 | union ( IdentityLogonEvents | extend Table = 'IdentityLogonEvents' | take 100 ) | project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid | order by Timestamp asc
upvoted 5 times
user636
Most Recent 9 months, 2 weeks ago
I think the images for the answers are swapped in the question. You need to select the "Union" operator first and then the second table name "IdentityLogonEvents". FirstTable | take 100 | union ( SecondTable | take 100) | project TimeGenerated, AccountName Ref: https://learn.microsoft.com/en-us/training/modules/build-multi-table-statements-kusto-query-language/2-use-union-operator
upvoted 2 times
wheeldj
1 year, 1 month ago
Can someone explain how using the take operator in this query would return the 100 MOST RECENT logons? I thought take returned a random selection. Wouldn't it be better to use top instead? i.e. top 100 by Timestamp
upvoted 3 times
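The query mipe64 and wheeldj are discussing, written out as an added example (not from the page, the exam, or Microsoft). It keeps the per-table Table column and the project columns from the thread, but selects with top ... by Timestamp desc instead of take, because take returns an arbitrary 100 rows, not the newest; the 7-day lookback is an assumption added to bound the scan.

```kql
// Constructed example: 100 most recent sign-in attempts across devices
// (DeviceLogonEvents) and AD DS domain controllers (IdentityLogonEvents).
let lookback = 7d;                         // assumption: limit how far back to scan
let DeviceSignins =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | extend Table = 'DeviceLogonEvents'   // mark the source table
    | top 100 by Timestamp desc;           // newest 100 from this table, not an arbitrary 100
let DomainControllerSignins =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | extend Table = 'IdentityLogonEvents'
    | top 100 by Timestamp desc;
// Combine both sets, then keep the 100 newest overall.
union DeviceSignins, DomainControllerSignins
| top 100 by Timestamp desc
| project Timestamp, Table, ActionType, AccountDomain, AccountName, AccountUpn, AccountSid
```

AccountUpn is populated by IdentityLogonEvents; rows that come from DeviceLogonEvents show it empty, which is how you can tell which side of the union a row came from even without the Table column.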
smanzana
1 year, 6 months ago
Answer: IdentityLogonEvents Union
upvoted 1 times
danb67
1 year, 7 months ago
Query syntax is all wrong in question. Imreed is correct with this syntax.
upvoted 3 times
Ramye
1 year, 3 months ago
Yes, I just tested with Imreed's query. Didn't get any error but the result came back empty as I don't have relevant info.
upvoted 2 times
imreed
1 year, 8 months ago
DeviceLogonEvents | extend Table = 'table1' | take 100 | union (IdentityLogonEvents | extend Table = 'table2' | take 100) | project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid | order by Timestamp asc Answer - IdentityLogonEvents Union
upvoted 4 times
mali1969
1 year, 9 months ago
DeviceLogonEvents | extend Table = 'table1' | take 100 | DeviceLogonEvent ( | union | extend table = 'table2' | take 100 ) | project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid | order by Timestamp asc DeviceLogonEvent Union
upvoted 2 times
Fez786
1 year, 9 months ago
Need someone to confirm the correct answer please. NO chatGPT lickers or opinion prophets please.
upvoted 1 times
danb67
1 year, 8 months ago
Or you could actually throw up a lab in 20 mins and test it. Just a thought.
upvoted 9 times
Fez786
1 year, 9 months ago
This new question arrived today, 9th September 2033
upvoted 1 times
Unlikely
1 year, 8 months ago
Fez, since you've had the question IRL: is the syntax here correct? shouldn't union be before parenthesis?
upvoted 1 times
Fez786
1 year, 8 months ago
I have no idea. I am learning just like you, therefore I don't know what the correct answer is.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other